10831381

Hierarchies of Credential and Access Control Sharing Between DSN Memories

Published: November 10, 2020
Assignee: not available in USPTO data we have

Patent Claims
14 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method comprises: detecting, by a computing device, a change to one or more of: a credential pertaining to grant or deny access by a first user group of a first set of storage units supporting a logical storage vault to which the first user group has access and access control information pertaining to the access of the logical storage vault for the first user group having access to the logical storage vault; and in response to the detecting: determining, by the computing device, whether the logical storage vault is in a relationship with another logical storage vault to which a second user group has access, wherein the other logical storage vault is supported by a second set of storage units; when the logical storage vault is in the relationship with the other logical storage vault, determining, by the computing device, whether the logical storage vault is an originating vault or a subservient vault with respect to the other logical storage vault; when the logical storage vault is the originating vault, receiving, by the computing device, from the first set of storage units updated access control information pertaining to access of the logical storage vault by the first user group and sending, by the computing device, to the second set of storage units the updated access control information, wherein the updated access control information is regarding a change to the access control information; and when the logical storage vault is the subservient vault, receiving, by the computing device, from the first set of storage units an updated credential pertaining to access of the logical storage vault by the first user group of the first set of storage units regarding a change to the credential of the first set of storage units.

Plain English Translation

Storage management and access control. This invention addresses the challenge of maintaining consistent access permissions and credentials across related logical storage vaults, particularly when changes occur within one vault that impact another. The method involves a computing device detecting a modification to either a user group's access credential for a set of storage units supporting a logical storage vault, or to the access control information for that user group's access to the vault. In response, the system determines if this logical storage vault has a relationship with another logical storage vault, which is supported by a different set of storage units and accessible by a second user group. If such a relationship exists, the system identifies whether the current logical storage vault is the "originating vault" or a "subservient vault" relative to the other. If it's the originating vault, updated access control information reflecting the change is received from the first set of storage units and then sent to the second set of storage units. If it's the subservient vault, an updated credential for the first user group, reflecting the change within the first set of storage units, is received.

Claim 2

Original Legal Text

2. The method of claim 1, wherein the credential comprises one or more of: a signed certificate; a key; an authorization token; a user name and password pair; an authorization time frame indicator; a permission list; a type of services granted; and an encryption key.

Plain English Translation

This invention relates to secure authentication and authorization systems, particularly for verifying and managing credentials in digital environments. The problem addressed is the need for flexible and robust credential handling to ensure secure access control in computing systems. The invention provides a method for processing credentials, where the credential can include various forms of authentication and authorization data. These credentials may comprise a signed certificate, a cryptographic key, an authorization token, a username and password pair, an authorization time frame indicator, a permission list, a type of services granted, or an encryption key. The method ensures that different types of credentials can be validated and used to control access to resources or services. By supporting multiple credential formats, the system enhances security and adaptability, allowing integration with various authentication protocols and authorization frameworks. The invention improves upon existing systems by providing a unified approach to credential management, reducing complexity and improving interoperability across different security mechanisms. This method is particularly useful in environments where multiple authentication methods are required, such as cloud computing, enterprise networks, or distributed systems.

Claim 3

Original Legal Text

3. The method of claim 1, wherein the access control information comprises one or more of: authentication information; permission regarding one or more of storing data, reading data, deleting data, and retrieving a list of slice names; and one or more security parameters.

Plain English Translation

This invention relates to access control mechanisms for data storage systems, particularly in distributed or decentralized environments. The problem addressed is the need for secure and granular access management to stored data, ensuring that only authorized entities can perform specific operations while maintaining data integrity and confidentiality. The method involves managing access control information associated with stored data, where this information includes multiple components. Authentication information verifies the identity of entities attempting to access the data. Permission settings define what actions are allowed, such as storing, reading, deleting data, or retrieving a list of slice names (which may refer to segments of distributed data). Additionally, security parameters may include encryption settings, access time restrictions, or other constraints to further protect the data. The access control information is dynamically applied to enforce permissions, ensuring that only authenticated and authorized entities can perform the permitted operations. This approach enhances security by providing fine-grained control over data access, reducing the risk of unauthorized modifications or data breaches. The system is particularly useful in environments where data is distributed across multiple nodes or where decentralized access control is required.

Claim 4

Original Legal Text

4. The method of claim 1 further comprises: determining that the logical storage vault is in a unidirectional relationship with the other logical storage vault; determining that the logical storage vault is the originating vault when, in accordance with the unidirectional relationship, a group of user devices of the first user group having access to the logical storage vault have access privileges to the other logical storage vault; and determining that the logical storage vault is the subservient vault when, in accordance with the unidirectional relationship, a group of user devices of the second user group having access to the other logical storage vault have access privileges to the logical storage vault.

Plain English Translation

In the field of data storage and access management, this invention addresses the challenge of managing unidirectional relationships between logical storage vaults to control data access privileges among user groups. The system involves multiple logical storage vaults, each associated with distinct user groups. The method determines whether a logical storage vault is in a unidirectional relationship with another vault, meaning access flows in one direction only. If a group of user devices from the first user group, which has access to the logical storage vault, also has access privileges to the other vault, the logical storage vault is identified as the originating vault. Conversely, if a group of user devices from the second user group, which has access to the other vault, also has access privileges to the logical storage vault, the logical storage vault is identified as the subservient vault. This ensures that data access is strictly controlled in a predefined direction, preventing unauthorized bidirectional access. The invention enhances security by enforcing hierarchical access rules, where originating vaults serve as primary data sources and subservient vaults act as secondary recipients, maintaining data integrity and compliance with access policies.

Claim 5

Original Legal Text

5. The method of claim 1 further comprises: determining that the logical storage vault is in a bidirectional relationship with the other logical storage vault; and determining that the logical storage vault is both the originating vault and the subservient vault when, in accordance with the bidirectional relationship, a group of user devices of the first user group having access to the logical storage vault have access privileges to the other logical storage vault and a group of user devices of the second user group having access to the other logical storage vault have access privileges to the logical storage vault.

Plain English Translation

This invention relates to managing access control in a distributed storage system where logical storage vaults are interconnected. The problem addressed is ensuring proper access privileges in bidirectional relationships between vaults, preventing unauthorized access while maintaining intended sharing permissions. The system involves multiple logical storage vaults, each associated with distinct user groups. Each vault has an originating vault and a subservient vault designation, defining access control hierarchies. The invention enhances this by detecting bidirectional relationships between vaults, where user devices from one vault's user group can access the other vault, and vice versa. When such a bidirectional relationship is identified, the system determines if a vault is simultaneously acting as both the originating and subservient vault in this relationship. This ensures that access privileges are consistently applied in both directions, preventing conflicts or unauthorized access scenarios. The solution helps maintain secure and predictable access control in distributed storage environments with interconnected vaults.

Claim 6

Original Legal Text

6. The method of claim 1 further comprises: in response to the detecting: determining, by the computing device, whether the logical storage vault is in a second relationship with a second other logical storage vault to which a third user group has access, wherein the second other logical storage vault is supported by a third set of storage units; when the logical storage vault is in the second relationship with the second other logical storage vault, determining whether the logical storage vault is a second originating vault or a second subservient vault with respect to the second other logical storage vault; when the logical storage vault is the second originating vault, receiving, by the computing device, from the first set of storage units, the updated access control information and sending, by the computing device, the updated access control information to the third set of storage units; and when the logical storage vault is the second subservient vault, utilizing, by the computing device, the updated credential for data access requests in accordance with the second relationship.

Plain English Translation

This invention relates to a method for managing access control information in a distributed storage system where logical storage vaults are organized in hierarchical relationships. The problem addressed is ensuring consistent and secure access control across interconnected storage vaults when access permissions are updated. The method involves detecting a change in access control information for a logical storage vault supported by a first set of storage units. In response, the system determines if the vault has a relationship with another vault accessible by a different user group and supported by a second set of storage units. If such a relationship exists, the system checks whether the vault is an originating vault or a subservient vault in the relationship. For an originating vault, the updated access control information is propagated from the first set of storage units to the second set. For a subservient vault, the updated credentials are applied locally to data access requests based on the established relationship. This ensures that access permissions are synchronized across dependent vaults while maintaining security and consistency in a distributed storage environment.
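The decision flow of claims 1, 4, 5 and 6, as an added Python sketch that is not taken from the patent or from any DSN product. `Device`, `StorageSet`, the privilege pairs and every sample value are hypothetical and constructed for illustration; the returned log is the kind of audit trail a reviewer would check to confirm that access control information only flows along declared relationships.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Role(Flag):
    NONE = 0
    ORIGINATING = auto()
    SUBSERVIENT = auto()


@dataclass
class StorageSet:
    """Hypothetical stand-in for the storage units supporting one vault."""
    vault: str
    access_control: dict   # this vault's own access control information
    credential: str        # credential for this vault's user group
    peer_access_control: dict = field(default_factory=dict)  # received from peers


class Device:
    """Hypothetical stand-in for the claimed computing device."""

    def __init__(self, storage_sets, privileges):
        self.sets = {s.vault: s for s in storage_sets}
        # (a, b): user devices of vault a's user group have access
        # privileges to vault b (assumed encoding of a relationship).
        self.privileges = set(privileges)
        # (vault, peer) -> credential used for data access requests
        self.credentials_in_use = {}

    def role(self, vault, other):
        """Claims 4 and 5: role of `vault` with respect to `other`."""
        role = Role.NONE
        if (vault, other) in self.privileges:
            role |= Role.ORIGINATING
        if (other, vault) in self.privileges:
            role |= Role.SUBSERVIENT   # both flags set means bidirectional
        return role

    def related(self, vault):
        """Every vault that shares a relationship with `vault` (claim 6)."""
        outgoing = {b for a, b in self.privileges if a == vault}
        incoming = {a for a, b in self.privileges if b == vault}
        return sorted(outgoing | incoming)

    def on_change(self, vault):
        """Claim 1: react to a detected change; returns an audit log."""
        src = self.sets[vault]
        log = []
        for other in self.related(vault):
            role = self.role(vault, other)
            if Role.ORIGINATING in role:
                # Receive updated ACI from the first set of storage units
                # and send it to the other vault's storage units.
                updated = dict(src.access_control)
                self.sets[other].peer_access_control[vault] = updated
                log.append(("send_access_control", vault, other))
            if Role.SUBSERVIENT in role:
                # Receive the updated credential and use it for requests
                # made under this relationship.
                self.credentials_in_use[(vault, other)] = src.credential
                log.append(("receive_credential", vault, other))
        return log


def demo():
    # Constructed sample: eng -> archive is unidirectional, eng <-> ops is
    # bidirectional, and lab has no relationship with any other vault.
    sets = [
        StorageSet("eng", {"eng-users": ["read", "write", "list"]}, "cred-eng-v1"),
        StorageSet("archive", {"archive-users": ["read"]}, "cred-archive-v1"),
        StorageSet("ops", {"ops-users": ["read", "delete"]}, "cred-ops-v1"),
        StorageSet("lab", {"lab-users": ["read"]}, "cred-lab-v1"),
    ]
    device = Device(sets, [("eng", "archive"), ("eng", "ops"), ("ops", "eng")])
    # The detected change: eng tightens its permissions and rotates its credential.
    sets[0].access_control["eng-users"] = ["read"]
    sets[0].credential = "cred-eng-v2"
    return device, device.on_change("eng")


if __name__ == "__main__":
    _, audit = demo()
    for entry in audit:
        print(entry)
```

A vault with no declared relationship, such as `lab` in the sample, produces an empty log, which is the property to check when auditing that updates never reach storage units outside the hierarchy.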

Claim 7

Original Legal Text

7. The method of claim 1, wherein the first set of storage units is affiliated with a first dispersed storage network (DSN) of a plurality of DSNs; and the second set of storage units is affiliated with a second DSN of the plurality of DSNs.

Plain English Translation

This invention relates to distributed storage systems, specifically methods for managing data across multiple dispersed storage networks (DSNs). The problem addressed is the efficient and secure distribution of data across different DSN environments to enhance redundancy, performance, or security. The method involves storing data using a first set of storage units associated with a first DSN and a second set of storage units associated with a second DSN. Each DSN operates independently, allowing data to be distributed across multiple networks for improved fault tolerance or access control. The storage units within each DSN may be geographically or logically separated, ensuring that data remains available even if one DSN experiences failures or disruptions. The method may also include encoding data before distribution to further enhance reliability or security, such as by using erasure coding techniques to generate encoded data slices for storage across the DSNs. By utilizing multiple DSNs, the system can optimize storage performance, reduce latency, or enforce access policies based on network-specific requirements. The approach is particularly useful in environments where data must be replicated across different administrative domains or geographic regions to meet compliance or operational needs. The method may also support dynamic adjustments, such as reallocating data between DSNs based on usage patterns or network conditions.

Claim 8

Original Legal Text

8. A computer readable memory comprises: a first memory that stores operational instructions that, when executed by a computing device, cause the computing device to: detect a change to one or more of: a credential pertaining to grant or deny access by a first user group of a first set of storage units supporting a logical storage vault to which the first user group has access and access control information pertaining to the access of the logical storage vault for the first user group having access to the logical storage vault; and a second memory that stores operational instructions that, when executed by the computing device, cause the computing device to: in response to the detecting determine whether the logical storage vault is in a relationship with another logical storage vault to which a second user group has access, wherein the other logical storage vault is supported by a second set of storage units; and when the logical storage vault is in the relationship with the other logical storage vault, determine whether the logical storage vault is an originating vault or a subservient vault with respect to the other logical storage vault; and a third memory that stores operational instructions that, when executed by the first set of storage units, cause the first set of storage units to: when the logical storage vault is the originating vault, send updated access control information pertaining to the access of the logical storage vault to the second set of storage units regarding a change to the access control information; and when the logical storage vault is the subservient vault, send an updated credential of the first set of storage units to the computing device regarding a change to the credential of the first set of storage units.

Plain English Translation

This invention relates to access control management in distributed storage systems, specifically for logical storage vaults that may have hierarchical relationships with other vaults. The problem addressed is ensuring consistent access control and credential management across interconnected logical storage vaults when changes occur, such as modifications to access permissions or user credentials. The system detects changes to credentials or access control information for a logical storage vault accessible by a first user group. If the vault is related to another vault accessible by a second user group, the system determines whether the vault is an originating vault (primary) or a subservient vault (dependent). For originating vaults, updated access control information is propagated to the related vault's storage units. For subservient vaults, updated credentials are sent to the computing device managing access. This ensures synchronized access control across interconnected vaults, maintaining security and consistency in multi-vault storage environments. The system uses separate memory components to store and execute instructions for detecting changes, determining vault relationships, and propagating updates based on the vault's role in the hierarchy.

Claim 9

Original Legal Text

9. The computer readable memory of claim 8, wherein the credential comprises one or more of: a signed certificate; a key; an authorization token; a user name and password pair; an authorization time frame indicator; a permission list; a type of services granted; and an encryption key.

Plain English Translation

This invention relates to secure credential management in computer systems, specifically for authenticating and authorizing access to services or resources. The problem addressed is the need for flexible and secure credential storage and retrieval in computing environments, particularly where multiple types of credentials may be required for different services or operations. The invention involves a computer-readable memory storing a credential that enables access to a service or resource. The credential can take various forms, including a signed certificate, a cryptographic key, an authorization token, a username and password pair, an authorization time frame indicator, a permission list, a type of services granted, or an encryption key. These credentials are used to verify the identity of a user, device, or system and determine the level of access permitted. The credential may be stored in a secure manner, such as within a hardware security module (HSM) or a trusted execution environment (TEE), to prevent unauthorized access or tampering. The system retrieves the credential when needed, such as during an authentication or authorization process, and presents it to a service provider or resource to grant access. The credential may also include metadata or additional attributes, such as expiration dates or usage restrictions, to further control access. This approach ensures that credentials are securely managed and easily retrievable, reducing the risk of unauthorized access while supporting various authentication and authorization mechanisms. The system is particularly useful in cloud computing, enterprise networks, and IoT environments where multiple services and resources require different types of credentials.

Claim 10

Original Legal Text

10. The computer readable memory of claim 8, wherein the access control information comprises one or more of: authentication information; permission regarding one or more of storing data, reading data, deleting data, and retrieving a list of slice names; and one or more security parameters.

Plain English Translation

This invention relates to secure data storage and access control in a distributed computing environment. The problem addressed is the need for robust access control mechanisms to protect data stored across multiple storage nodes while ensuring efficient and secure data retrieval. The invention involves a computer-readable memory storing access control information that governs how data is managed within a distributed storage system. The access control information includes authentication details to verify user or system identities, permissions for various data operations such as storing, reading, deleting, and listing slice names (which likely refer to data segments or partitions), and security parameters that may include encryption settings, access policies, or other protective measures. The system ensures that only authorized entities can perform specific actions on the stored data, enhancing security while maintaining operational flexibility. The access control information is stored in a way that allows for dynamic updates and enforcement, ensuring that security policies remain current and effective. This approach is particularly useful in environments where data is distributed across multiple nodes, requiring coordinated and consistent access control to prevent unauthorized access or data breaches. The invention aims to provide a scalable and secure method for managing data access in distributed storage systems.

Claim 11

Original Legal Text

11. The computer readable memory of claim 8, wherein the second memory further stores operational instructions that, when executed by the computing device, cause the computing device to: determine that the logical storage vault is in a unidirectional relationship with the other logical storage vault; determine that the logical storage vault is the originating vault when, in accordance with the unidirectional relationship, a group of user devices of the first user group having access to the logical storage vault have access privileges to the other logical storage vault; and determine that the logical storage vault is the subservient vault when, in accordance with the unidirectional relationship, a group of user devices of the second user group having access to the other logical storage vault have access privileges to the logical storage vault.

Plain English Translation

A system for managing access control in a distributed storage environment involves logical storage vaults with unidirectional relationships to enforce hierarchical access privileges. The system includes a computing device with memory storing operational instructions. When executed, these instructions determine the relationship between two logical storage vaults, where one vault is designated as the originating vault and the other as the subservient vault based on access privileges. In a unidirectional relationship, user devices of a first user group with access to the originating vault have access privileges to the subservient vault, while user devices of a second user group with access to the subservient vault do not have reciprocal access to the originating vault. This ensures controlled data flow and prevents unauthorized access between vaults. The system dynamically evaluates access rights to enforce the unidirectional relationship, maintaining security and compliance in multi-user storage environments. The solution addresses challenges in managing hierarchical access in distributed systems, particularly where strict access control policies are required.

Claim 12

Original Legal Text

12. The computer readable memory of claim 8, wherein the second memory further stores operational instructions that, when executed by the computing device, cause the computing device to: determine that the logical storage vault is in a bidirectional relationship with the other logical storage vault; and determine that the logical storage vault is both the originating vault and the subservient vault when, in accordance with the bidirectional relationship, a group of user devices of the first user group having access to the logical storage vault have access privileges to the other logical storage vault and a group of user devices of the second user group having access to the other logical storage vault have access privileges to the logical storage vault.

Plain English Translation

This invention relates to a system for managing access privileges between logical storage vaults in a computing environment. The problem addressed is ensuring proper synchronization and access control in bidirectional relationships between storage vaults, where users from one vault may need access to another vault and vice versa. The system involves a computing device with memory storing operational instructions. The memory includes a first logical storage vault associated with a first user group and a second logical storage vault associated with a second user group. The instructions enable the computing device to determine whether the two vaults are in a bidirectional relationship, meaning that users from the first group can access the second vault and users from the second group can access the first vault. Additionally, the system identifies when a single vault acts as both the originating vault (the primary source of access) and the subservient vault (the dependent recipient of access) in this bidirectional relationship. This ensures that access privileges are correctly synchronized and enforced between the two vaults, preventing conflicts or unauthorized access. The system helps maintain consistent access control policies across interconnected storage vaults, improving security and usability in shared storage environments.

Claim 13

Original Legal Text

13. The computer readable memory of claim 8 further comprises: the second memory further stores operational instructions that, when executed by the computing device, cause the computing device to: in response to the detecting: determine whether the logical storage vault is in a second relationship with a second other logical storage vault, wherein the second other logical storage vault is supported by a third set of storage units to which a third user group has access; and when the logical storage vault is in the second relationship with the second other logical storage vault, determine whether the logical storage vault is a second originating vault or a second subservient vault with respect to the second other logical storage vault; the third memory further stores operational instructions that, when executed by the first set of storage units, cause the first set of storage units to: when the logical storage vault is the second originating vault, send the updated access control information to the third set of storage units; and a fourth memory that stores operational instructions that, when executed by the computing device, cause the computing device to: when the logical storage vault is the second subservient vault, utilize the updated credential for data access requests in accordance with the second relationship.

Plain English Translation

This invention relates to a system for managing access control in a distributed storage environment where multiple logical storage vaults are interconnected. The problem addressed is ensuring consistent and secure access control propagation across related storage vaults when access permissions are updated. The system involves a computing device and multiple storage units supporting different user groups. When an access control update is detected for a logical storage vault, the system determines if that vault has a relationship with another vault supported by a different set of storage units. If a relationship exists, the system checks whether the vault is an originating vault (primary) or a subservient vault (dependent). For originating vaults, the updated access control information is propagated to the related vault's storage units. For subservient vaults, the updated credentials are used for data access requests according to the defined relationship. This ensures that access control changes are properly synchronized across interconnected vaults while maintaining security and access consistency. The system automates the propagation of access control updates, reducing manual intervention and potential security gaps in distributed storage environments.

Claim 14

Original Legal Text

14. The computer readable memory of claim 8, wherein the first set of storage units is affiliated with a first dispersed storage network (DSN) of a plurality of DSNs; and the second set of storage units is affiliated with a second DSN of the plurality of DSNs.

Plain English Translation

This invention relates to distributed storage systems, specifically a method for managing data across multiple dispersed storage networks (DSNs). The problem addressed is the need to efficiently distribute and retrieve data across different DSN configurations, ensuring reliability and accessibility while optimizing storage and retrieval operations. The invention involves a computer-readable memory storing executable instructions for a distributed storage system. The system includes a first set of storage units associated with a first DSN and a second set of storage units associated with a second DSN, where each DSN operates independently but may interact to store and retrieve data. The system is designed to handle data distribution, encoding, and retrieval across these separate DSNs, allowing for redundancy and fault tolerance. The instructions enable the system to process data requests, encode data for storage, and retrieve data from the appropriate DSN based on predefined criteria, such as availability, performance, or storage capacity. The invention ensures that data is distributed across multiple DSNs, reducing the risk of data loss and improving system resilience. By leveraging multiple DSNs, the system can optimize storage and retrieval operations, balancing load and improving efficiency. The use of separate DSNs allows for flexible configuration, enabling the system to adapt to different storage requirements and network conditions. This approach enhances data durability and accessibility while maintaining performance and scalability.

Patent Metadata

Filing Date

Unknown

Publication Date

November 10, 2020

Inventors

Jason K. Resch


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “HIERARCHIES OF CREDENTIAL AND ACCESS CONTROL SHARING BETWEEN DSN MEMORIES” (10831381). https://patentable.app/patents/10831381
